# The cr.yp.to microblog: 2020.06.27 15:06:38

2020.06.27 15:06:38 (1276864517390036993) from Daniel J. Bernstein, replying to "Frank ⚡ (@jedisct1)" (1270337966746087430):

Page 31 of https://cr.yp.to/talks/2005.09.20/slides.pdf mentioned that setting high bit "avoids infinity and avoids timing attacks". This was six years before https://eprint.iacr.org/2011/232.pdf extracted keys from exactly this timing leak in OpenSSL. See also https://cr.yp.to/talks.html#2014.07.23 and https://mailarchive.ietf.org/arch/msg/cfrg/pt2bt3fGQbNF8qdEcorp-rJSJrc/.

2020.06.27 15:28:02 (1276869902813421569) from Daniel J. Bernstein:

The high bit is an example of a much broader success story: many security failures in cryptographic implementations can be predicted by cryptographic designers and proactively avoided through changes in designs. See, e.g., https://cr.yp.to/talks.html#2015.01.07 and https://blog.cr.yp.to/20191024-eddsa.html.

### Context

2020.06.09 14:28:19 (1270331893020491777) from "Steve (@Sc00bzT)", replying to "Steve (@Sc00bzT)" (1270331532490747904):

It breaks when:
(3*(q-2**252)-1)/2 ≤ x*y % q ≤ q - (3*(q-2**252)-1)/2
Where
2**251 ≤ x < 2**252
2**251 ≤ y < 2**252
and
s1 = 8*x
s2 = 8*y

2020.06.09 14:30:40 (1270332482555187200) from "Steve (@Sc00bzT)", replying to "Steve (@Sc00bzT)" (1270331893020491777):

To generate ones that don't work:
s1 = random()
s2 = invert(clamp(s1) >> 3, q) << 3
if s2 != clamp(s2)
s2 = 8*q - s2
if s2 != clamp(s2)
retry // very rare

2020.06.09 14:35:38 (1270333735897108482) from "Steve (@Sc00bzT)", replying to "Steve (@Sc00bzT)" (1270332482555187200):

The method tries (-s1*s2) (mod q) if (s1*s2) (mod q) fails because:
X25519_noclamp(x, P) == X25519_noclamp(q - x % q, P)
P.S. Clamping also prevents "clamp(x) == 0 (mod q)".

2020.06.09 14:52:27 (1270337966746087430) from "Frank ⚡ (@jedisct1)", replying to "Steve (@Sc00bzT)" (1270333735897108482):

Requiring the high bit to be set was a terrible decision. It never protected any specialized implementation, yet is utterly confusing and breaks associativity. And clamping was also applied to EdDSA for no good reasons.